<div dir="ltr">Hi, <div><br></div><div>To achieve something like that, you have to use junctions. </div><div>You'll have one source with flags(no-parse), then embed a filter+parser junction to process regular syslog messages, and another junction to process the ones you cannot parse.</div><div><br></div><div>For details, see the 8.3 example at <a href="https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/junctions.html" target="_blank">https://www.balabit.com/<wbr>documents/syslog-ng-ose-<wbr>latest-guides/en/syslog-ng-<wbr>ose-guide-admin/html/<wbr>junctions.html</a> and <a href="https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/parser-syslog.html">https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/parser-syslog.html</a></div><div><br></div><div>HTH, </div><div><br></div><div>Robert</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 22, 2017 at 2:45 PM, 'Miah Lang' via SYSLOG-NG <span dir="ltr"><<a href="mailto:syslog-ng@balabit.com" target="_blank">syslog-ng@balabit.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div><br></div><blockquote type="cite">






<div class="m_-4684994580070735645WordSection1">
<p class="MsoNormal">Is it possible to configure multiple sources, one with flags(no-parse) and one without?</p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal">e.g.</p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal">source <b>s_syslog-ports</b> {</p>
<p class="MsoNormal">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;udp(port(514));</p>
<p class="MsoNormal">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;tcp(port(1514) max-connections(100));</p>
<p class="MsoNormal">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;tcp(port(514) max-connections(100));</p>
<p class="MsoNormal">};</p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal">source <b>s_syslog_np-ports </b>{</p>
<p class="MsoNormal">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;udp(port(514) flags(no-parse));</p>
<p class="MsoNormal">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;tcp(port(1514) max-connections(100) flags(no-parse));</p>
<p class="MsoNormal">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;tcp(port(514) max-connections(100) flags(no-parse));</p>
<p class="MsoNormal">};</p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal">filter f_Cisco-router { in-list("/etc/syslog-ng/filter/Cisco-router.txt", value("SOURCEIP")); };</p>
<p class="MsoNormal">destination d_Cisco-router {file("/var/log/IT/network/router/cisco/${SOURCEIP}/${SOURCEIP}-${YEAR}${MONTH}${DAY}.log" template(t_message-only));};</p>
<p class="MsoNormal">log {source(<b>s_syslog-ports</b>); filter(f_Cisco-router); destination(d_Cisco-router);};</p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal">filter f_Cisco-switch { in-list("/etc/syslog-ng/filter/Cisco-switch.txt", value("SOURCEIP")); };</p>
<p class="MsoNormal">destination d_Cisco-switch {file("/var/log/IT/network/switch/cisco/${SOURCEIP}/${SOURCEIP}-${YEAR}${MONTH}${DAY}.log" template(t_message-only));};</p>
<p class="MsoNormal">log {source(<b>s_syslog_np-ports</b>); filter(f_Cisco-switch); destination(d_Cisco-switch);};</p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal">Whenever I do this, I get an error message when restarting the service.</p>
<p class="MsoNormal">“Job for syslog-ng.service failed because the control process exited with error code. See "systemctl status syslog-ng.service" and "journalctl -xe" for details.”</p>
<p class="MsoNormal">“Cannot add dependency job for unit microcode.service, ignoring: Unit is not loaded properly: Invalid argument.”</p>
</div>


</blockquote></div>
<br></blockquote></div><br></div>
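<div><p>Added example, not part of the original thread: one way to lay out the junction described in the reply, reusing the filters and destinations from the quoted question. The source name s_syslog_raw is hypothetical, and f_Cisco-router, f_Cisco-switch, d_Cisco-router, d_Cisco-switch and t_message-only are assumed to be defined as in the question.</p>
<pre>
```conf
# Added example, not from the original thread.
# s_syslog_raw is a hypothetical name; the filters and destinations are the
# ones defined in the quoted question (t_message-only is assumed to exist).

# Each listener is declared once, with parsing disabled, so the raw line
# ends up in ${MESSAGE} and no syslog header fields are extracted yet.
source s_syslog_raw {
    udp(port(514) flags(no-parse));
    tcp(port(1514) max-connections(100) flags(no-parse));
    tcp(port(514) max-connections(100) flags(no-parse));
};

log {
    source(s_syslog_raw);
    junction {
        # Routers send regular syslog: match on the sender address first,
        # then run the syslog parser on the still-unparsed message.
        channel {
            filter(f_Cisco-router);
            parser { syslog-parser(); };
            destination(d_Cisco-router);
        };
        # Switches send messages that cannot be parsed: keep them raw.
        channel {
            filter(f_Cisco-switch);
            destination(d_Cisco-switch);
        };
    };
};
```
</pre>
<p>The in-list filters match on SOURCEIP, which comes from the connection rather than from the message header, so they work before any parsing. Running <code>syslog-ng --syntax-only</code> before restarting the service shows configuration errors directly instead of the generic systemd failure message.</p></div>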